Method and apparatus for local area networks

ABSTRACT

A mechanism for segregating traffic amongst STAs that are associated with a bridge, referred to herein as the personal virtual bridged local area network (personal VLAN), is based upon the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (virtual bridged LANs) protocol provides a mechanism that is extended by the invention to partition a LAN segment logically into multiple VLANs. In the preferred embodiment, a VLAN bridge forwards unicast and group frames only to those ports that serve the VLAN to which the frames belong. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an AP. In a preferred embodiment, the Personal VLAN bridge extends the standard VLAN bridge in at least any of the following ways: VLAN discovery in which a personal VLAN bridge provides a protocol for VLAN discovery; VLAN extension in which a Personal VLAN allows a station to create a new port that serves a new VLAN, or to join an existing VLAN via an authentication protocol; Logical ports in which a Personal VLAN bridge can maintain more than one logical port per physical port, and bridges between ports of any kind; and cryptographic VLAN separation.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority to U.S. patent application Ser. No. 11/841,863, filed Aug. 20, 2007, which claims priority to U.S. Pat. No. 7,644,437, filed May 12, 2007, which claims priority to U.S. Pat. No. 7,188,364, filed Jan. 25, 2002, which in turn claims the benefit of U.S. patent application Ser. No. 60/343,307 filed Dec. 20, 2001, all of which are incorporated by reference in their entirety for all purposes.

BACKGROUND OF THE INVENTION

1. Technical Field

The invention relates to local area networks. More particularly, the invention relates to a personal virtual bridged local area network.

2. Description of the Prior Art

An access point (AP) is a link-layer bridge between one or more stations (STAs) and a distribution system (DS). See IEEE 802.11, Wireless LAN Medium Access Control and Physical Layer Specifications, ISO/IEC 8802-11:1999(E), ANSI/IEEE Std 802.11, 1999 Edition. An example of a DS is a LAN segment, or an intranet. An AP enables packets to be transmitted via radio either from a station (STA) to the DS, or from the DS to a STA. An access point therefore has at least two physical ports. One is the DS interface and the other is a radio interface. Multiple STAs, each with their own radio interface, can send packets to the DS by multiplexing the single shared radio interface of an AP. The radio interface operates at a particular frequency and the STAs share the medium through a MAC-PHY protocol that guarantees mutually exclusive access to the medium. The DS also sends packets to STAs by using the same protocol.

The STA of an AP has a Basic Service Set ID (BSSID). It serves to partition 802.11 Basic Service Sets logically. Every STA that associates with an AP shares the AP's BSSID. A frame destined for a group address received by an AP or a STA is discarded if the BSS to which the AP or STA belong does not match the BSSID of the frame. In this sense, the BSSID behaves as a Virtual LAN ID (VID). See IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks, IEEE Std 802.1Q-1998. Every STA is therefore a member of the same virtual LAN (VLAN) as a consequence of associating with the same AP.

Every STA in a BSS, however, should not share the same VLAN unless the STAs trust each other. Yet in public space deployments, all STAs associated with an AP are required to share the same VLAN when typically there is no trust among them. This can make a STA vulnerable, for instance, to various link-layer attacks launched by an untrusted STA, such as Address Resolution Protocol (ARP) cache re-mapping.

It would be advantageous to provide a mechanism for segregating traffic amongst STAs that are associated with a bridge such that, for example, an untrusted STA associated with said bridge can not be used to launch a link layer (OSI Layer 2) attack on another STA associated with the same bridge.

SUMMARY OF THE INVENTION

The invention provides a mechanism for segregating traffic amongst STAs that are associated with a bridge such that, for example, an untrusted STA associated with said bridge can not be used to launch a link layer (OSI Layer 2) attack on another STA associated with the same bridge. The invention is based upon the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (Virtual Bridged LANs) protocol provides a mechanism that is extended by the invention to partition a LAN segment logically into multiple VLANs. In the preferred embodiment, a VLAN bridge forwards unicast and group frames only to those ports that serve the VLAN to which the frames belong. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an AP.

Suppose an AP is attached to a DS. Every STA that associates with the AP should have an opportunity to create a new VLAN with itself and the DS as its members. This way traffic between trusted and untrusted STAs can be separated even though they associate with the same AP. In general, if the DS comprises multiple VLANs, then the members of any subset of them can be members of the new VLAN. So there should be a way to discover existing VLANs. Furthermore, there should be a protocol for joining an existing VLAN. Creating a VLAN and joining an existing VLAN are both operations that require authentication. The IEEE Std 802.1Q-1998 VLAN model is deficient for such purposes because it does not provide these capabilities. The preferred embodiment of the invention comprises a mechanism for providing such capability, referred to herein as the personal virtual bridged local area network (Personal VLAN).

In a preferred embodiment, the Personal VLAN bridge extends the standard VLAN bridge in at least any of the following ways:

-   -   VLAN discovery: A Personal VLAN provides a protocol for VLAN         discovery (discussed below).     -   VLAN extension/creation: A Personal VLAN bridge allows a station         to create a new port that serves a new VLAN, or to join an         existing VLAN or to join an existing VLAN via an authentication         protocol.     -   Logical ports: A Personal VLAN bridge can maintain more than one         logical port per physical port. It bridges between ports of any         kind. A VLAN's member set is defined in terms of logical and         physical ports. Every logical port has a lifetime controlled by         the bridge.     -   Cryptographic VLAN separation: In a Personal VLAN, a logical         port serves at most one VLAN. However, because there may be more         than one logical port per physical port, more than one VLAN may         exist on a physical port. Traffic within one VLAN is separated         from another VLAN on the same physical port by cryptography. An         authentication code uniquely identifies the VLAN to which the         traffic belongs, while another level of encryption keeps the         traffic private except to members of the VLAN.     -   Layer-2 VLAN support across routers: When an STA can roam and         re-attach to a network at a different bridge, e.g. by         associating with a new AP, the STA can inform the bridge of a         VLAN to which it already belongs. The VLAN may have been created         by a station, e.g. itself, at another bridge that links the VLAN         with one or more logical or physical ports at that bridge. The         STA can maintain its membership in the VLAN at layer 2 even         though the new bridge may be located on a different subnet. This         capability subsumes Mobile IP capability because Mobile IP aims         to retain subnet membership for a station across routers. A         subnet may correspond to a VLAN, but in general it does not.     -   Spanning tree maintenance: A Personal VLAN bridge permits an STA         to create a VLAN where the STA itself is a bridge. A spanning         tree algorithm eliminates cycles among bridges when membership         is granted. The process for joining a personal VLAN enforces         restrictions on VLAN topology that make re-constructing a         spanning tree unnecessary after a new bridge joins a VLAN.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block schematic diagram that illustrates two bridges in a Personal VLAN network according to the invention;

FIG. 2 is a block schematic diagram which shows an embodiment in which station A shares SA1 with bridge 1;

FIG. 3 is a block schematic diagram which shows an embodiment in which stations D and E belong to VLAN5, however, unlike the other stations, they do not share security associations with bridge 1, but rather with personal VLAN bridge 2;

FIG. 4 is a block schematic diagram that shows Personal VLAN discovery according to the invention;

FIG. 5 is a flow diagram that shows the requesting of service for a new VLAN according to the invention;

FIG. 6 is a flow diagram that shows linking of a VLAN served by a logical port at a bridge to one or more VLANs served by physical ports at a bridge according to the invention;

FIG. 7 is a flow diagram that shows inter-station authentication that is triggered when a bridge receives a join-VLAN request whose destination VLAN set consists of a single VLAN served by a logical port according to the invention; and

FIG. 8 is a flow diagram showing ingress filtering a logical ports according to the invention.

DETAILED DESCRIPTION OF THE INVENTION

The presently preferred embodiment of the invention provides a mechanism for segregating traffic amongst STAs that are associated with a bridge such that, for example, an untrusted STA associated with said bridge can not be used to launch a link layer (OSI Layer 2) attack on another STA associated with the same bridge. Those skilled in the art will appreciate that the invention disclosed herein is applicable to a wide range of systems and networks, including but not limited to wired and wireless networks.

The Personal VLAN Bridge Model

The invention is based upon the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (Virtual Bridged LANs) protocol provides a mechanism that is extended by the invention to partition a LAN segment logically into multiple VLANs. In the preferred embodiment, a VLAN bridge forwards unicast and group frames only to those ports that serve the VLAN to which the frames belong. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an AP.

Suppose an AP is attached to a DS. Every STA that associates with the AP should have an opportunity to create a new VLAN with itself and the DS as its members. This way traffic between trusted and untrusted STAs can be separated even though they associate with the same AP. In general, if the DS comprises multiple VLANs, then the members of any subset of them can be members of the new VLAN. So there should be a way to discover existing VLANs.

Furthermore, there should be a protocol for joining an existing VLAN. Creating a VLAN and joining an existing VLAN are both operations that require authentication. The IEEE Std 802.1Q-1998 VLAN model is deficient for such purposes because it does not provide these capabilities. The preferred embodiment of the invention comprises a mechanism for providing such capability, referred to herein as the personal virtual bridged local area network (Personal VLAN).

A presently preferred embodiment of the invention is discussed herein in connection with FIGS. 1-3. It will be appreciated by those skilled in the art that the configurations shown in FIG. 1-3 are provided for purposes of example only and are not intended to limit the configurations with which the invention may be practiced.

FIG. 1 is a block schematic diagram that illustrates two bridges 10, 12. Personal VLAN Bridge 1 (10) has four physical ports 11, 13, 15, 17, two of which 11, 13 are wired Ethernet. The wired ports serve VLAN1 and VLAN2 respectively. The other two ports 15, 17 are wireless Ethernet ports. One of these ports 15 conforms to the high-rate (54 Mbps) 802.11g standard, and the other port 17 conforms to the 802.11a standard. There are three logical ports 19, 21, 23 associated with the 802.11g port. Each logical port has its own security association 25, 27, 29 which is shared by some number of end stations 20, 22, 24 to constitute a separate VLAN.

Station A 20 shares SA1 25 with bridge 1 10, as illustrated in FIG. 2. No other stations share SA1 and so STA A is in a unique VLAN, i.e. VLAN3, represented by a spanning tree whose root is bridge 1.

Stations B and C 22, 24, on the other hand, belong to VLAN4 because they share SA2 27 with bridge 1 (see FIG. 2). This VLAN was created by one of STA A or STA B. Then the other station joined it after being authenticated by the creator. This illustrates case of joining a personal VLAN (see below). VLAN4 is also represented by a spanning tree with bridge 1 as root.

Stations D 16 and E 18 belong to VLAN5. However, unlike the other stations, they do not share security associations with bridge 1 but, rather, with Personal VLAN bridge 2 12 (see FIG. 3). Bridge 2 is the root of a spanning tree for VLAN5 until the tree was extended, making bridge 1 the new root.

In one embodiment, the Personal VLAN bridge extends the standard VLAN bridge in at least any of the following ways:

-   -   VLAN discovery: A Personal VLAN provides a protocol for VLAN         discovery (discussed below).     -   VLAN extension/creation: A Personal VLAN bridge allows a station         to create a new port that serves a new VLAN, or to join an         existing VLAN or to join an existing VLAN via an authentication         protocol.     -   Logical ports: A Personal VLAN bridge can maintain more than one         logical port per physical port. It bridges between ports of any         kind. A VLAN's member set is defined in terms of logical and         physical ports. Every logical port has a lifetime controlled by         the bridge.     -   Cryptographic VLAN separation: In a Personal VLAN, a logical         port serves at most one VLAN. However, because there may be more         than one logical port per physical port, more than one VLAN may         exist on a physical port. Traffic within one VLAN is separated         from another VLAN on the same physical port by cryptography. An         authentication code uniquely identifies the VLAN to which the         traffic belongs, while another level of encryption keeps the         traffic private except to members of the VLAN.     -   Layer-2 VLAN support across routers: When an STA can roam and         re-attach to a network at a different bridge, e.g. by         associating with a new AP, the STA can inform the bridge of a         VLAN to which it already belongs. The VLAN may have been created         by a station, e.g. itself, at another bridge that links the VLAN         with one or more logical or physical ports at that bridge. The         STA can maintain its membership in the VLAN at layer 2 even         though the new bridge may be located on a different subnet. This         capability subsumes Mobile IP capability because Mobile IP aims         to retain subnet membership for a station across routers. A         subnet may correspond to a VLAN, but in general it does not.     -   Spanning tree maintenance: A Personal VLAN bridge permits an STA         to create a VLAN where the STA itself is a bridge. A spanning         tree algorithm eliminates cycles among bridges when membership         is granted. The process for joining a personal VLAN enforces         restrictions on VLAN topology that make re-constructing a         spanning tree unnecessary after a new bridge joins a VLAN.

The presently preferred Personal VLAN bridge model parallels the VLAN model in terms of its rules for tagging frames, determining member/untagged sets, and in terms of components involved with relaying MAC frames, as described in IEEE Std 802.1Q-1998, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks, pp. 28. Extensions to these components in a Personal VLAN bridge are described below.

Personal VLAN Control Channels

Every physical port has a Personal VLAN control channel 40, 42 for sending and receiving control frames and authentication protocol frames. The channel has no security association and is identified by a frame field, e.g. Ethernet Type encoded. Authentication frames are preferably encapsulated using a format such as EAPoL (see IEEE 802.1X, IEEE Standards for Local and Metropolitan Area Networks: Port based Network Access Control, IEEE Std 802.1X-2001) which can handle a variety of authentication protocols.

VLAN Discovery

A Personal VLAN bridge runs server and client VLAN discovery agents 26 and 28, 30, respectively. The server agent responds to information requests, while the client agent issues information requests. An example of such agents is the client and server agents of the Service Location Protocol v2, IETF, RFC 2608. Therefore, a Personal VLAN can discover other VLANs and/or allow the VLANs it serves to be discovered. Discovery (see FIG. 4) involves transmission of a VLAN-DISCOVER frame. In response, a VLAN-OFFER frame is sent to the source MAC address of the discover frame. An offer frame lists all or some of the VLANs served by a bridge and information that can be used to select from among them. There may be more than one offer frame received by a client in response to a discover frame it sent. Transmission of a VLAN-OFFER frame is delayed by some randomly chosen period of time to minimize collisions among responders.

Serving a New VLAN

A Personal VLAN bridge can receive a request to serve a new VLAN. The request contains the VID of the new VLAN. A request is not granted unless the requester is authorized, the request is fresh, and it can be authenticated through a control channel. To serve a new VLAN at a bridge requires making the bridge the root of a spanning tree for the named VLAN. Requesting service for a new VLAN consists of the following steps:

-   -   The bridge receives a request frame with a source MAC address         through the control channel of some physical port. The holder of         that MAC address is the requester (100).     -   Receipt of the request frame initiates an authentication         protocol with the requester through the control channel (102).     -   If the requester cannot be authenticated, or is not authorized         to request VLAN service from the bridge (104), then the request         is discarded (106).     -   If there is no conflict in using the VID requested (105), a new         logical port is created and associated with the physical port         through which the request frame is received (108). This is the         logical port the bridge uses to serve the VLAN. Otherwise, the         bridge negotiates a VID with the requester (110). The VLAN's         filtering rules are determined by a policy for the requester.     -   The port state information is updated for the logical port to         include a security association (SA), shared with the requester         that is in effect for all traffic through that port (112). Only         the holder of the SA can change the logical port state

Upon completion of these steps, a new logical port exists to serve the new VLAN, but the VLAN is not linked to any other VLAN served by the bridge until a request is made to join a particular VLAN. Until this time, the new VLAN is inoperable at the bridge.

Joining a VLAN

A new VLAN served by a bridge must extend one or more existing VLANs served by physical ports of the bridge to be useful. In other words, it must be linked to one or more existing VLANs. Linking the VLAN served by a logical port at a bridge to one or more VLANs served by physical ports at a bridge is performed through a join-VLAN request sent over a control channel. The request does not bridge the VLANs served by the physical ports. Rather, they remain separate yet the new VLAN extends all of them simultaneously.

A join-VLAN request contains the VID V′ of a VLAN served by a logical port P′ of the bridge, referred to herein as the source VLAN, and a set V of VIDs for VLANs served by a set of physical ports P, referred to herein as the destination VLANs. The request aims to link V′ to every VLAN ID in V, or in other words, to allow the requester to join every VLAN in V. The requester has already created V′.

The bridge takes the following steps (see FIG. 6):

-   -   First the request is authenticated (200). This is done with         respect to the SA associated with V′ which was established when         the bridge was asked to serve V′. A simple challenge-response         strategy is used in the preferred embodiment, although other         approaches may be used as appropriate. If authentication fails,         the request is discarded.     -   Logical port P′ is added to the member set of every VID in V         (202), and every physical port in P is added to the member set         of V′ (204). The untagged set of V′ is formed by taking a union         of all untagged sets for VIDs in V (206). If the request frame         contains a null VID in its tag header, or it is untagged, then         P′ is added to the untagged set of every VID in V (208).

The requests to serve a new VLAN and to link it to other VLANs can be combined into one request. Thus, creating a VLAN and joining another can be performed through one authentication process, specifically, the process required for serving a new VLAN.

Joining a Personal VLAN

Joining a personal VLAN, i.e. one served by a logical port, requires special treatment. A Personal VLAN bridge is not authorized to link VLANs served by logical ports because it did not create the ports, unlike its physical ports. In this case, the creator of the logical port authenticates the requester through a mutually-agreed upon protocol, for example, challenge-response. This inter-station authentication (see FIG. 7) is triggered when the bridge receives a join-VLAN request whose destination VLAN set consists of a single VLAN served by a logical port (298).

There are three cases:

-   -   The source and destination VLANs have the same creator, and the         creator issued the join-VLAN request (300). In this case, the         request is discarded (302). Otherwise, a cycle could result in         the bridged VLANs.     -   The source and destination VLANs are identical and the creator         did not issue the request (304). In this case, the creator         authenticates the requester for membership into the Personal         VLAN (306).     -   In all other cases (308), the bridge first authenticates the         request to make sure that the requester is the creator of the         source VLAN (same as step 1 for joining VLANs served by physical         ports only—see above) (310). If authentication succeeds (312),         then the creator authenticates the requester for membership into         the destination VLAN (314).

When joining a personal VLAN, the destination VLAN set is preferably limited to exactly one VLAN, i.e. the source VLAN. It is constrained in this way because the request would otherwise reflect an attempt by a station to bridge a VLAN it does not own to other VLANs, something it is not authorized to do. The owner of a VLAN can join a new VLAN and, as a result, all its member stations also become members of the new VLAN.

Authentication of a requester by a creator is facilitated by a control channel of the bridge and respective Auth/Supplicant modules 50, 52, 54. The bridge uses the channel to relay authentication protocol messages between the creator and requester. Management of the control channel and relaying messages can be implemented using, for example, IEEE 802.1X, IEEE Standards for Local and Metropolitan Area Networks: Port based Network Access Control IEEE Std 802.1X-2001. In the 802.1X model, the requester is the Supplicant and the creator is the Authenticator. If the creator can authenticate the requester, then it shares the SA it holds with the bridge with the requester as well. It is not the bridge's responsibility to decide whether it should share with the requester the SA it holds with the creator. This is the creator's responsibility. There are many ways to achieve sharing. One way is to use the requester's public key to encrypt a Transport-Layer Security (TLS v1.0) pre-master secret from which the SA could be derived at the requester's station.

Ingress Filtering at Logical Ports

A security association contains at least two keys, one for encryption and the other for computing an authentication code, referred to herein as the Message Integrity Code (MIC). Uniquely, the SA is associated with a VLAN. The authentication code is used to limit traffic at the logical port to members of an entire VLAN, while encryption keeps the traffic private except to members. Only stations having the SA belong to the VLAN. There is a single broadcast domain for each SA. All stations having the SA belong to the same broadcast domain. Therefore, no separate encryption key is needed for broadcasts.

A physical port may serve more than one VLAN by virtue of having multiple logical ports associated with it (see FIG. 1). Therefore, unless the frame received at such a port carries a VID, its VLAN classification must use rules beyond port-based classification. See IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks IEEE Std 802.1Q-1998, D.2.2. Otherwise, there is no way to know at this stage which VID should be assigned from among the VLANs served by the port. It is necessary to identify the logical port through which the frame is received.

See FIG. 8 in connection with the following discussion. If the received frame carries a null VID or is untagged (400), then its source MAC address is used to determine a preliminary VLAN classification (402). This is the PVID of a logical port. If the frame carries a VID, then the VID is used as the preliminary classification instead (404). The preliminary classification is used to index into a table of security associations giving a MIC key (406). The received frame carries a MIC computed over the frame payload using a message digest algorithm, e.g. HMAC-MD5, agreed upon by both the bridge and requester at authentication time and recorded in the SA. The Personal VLAN bridge re-computes the MIC (408), using its MIC key, over the payload of the received frame, and then compares it with the received MIC (410). If they match (412), then the preliminary VLAN classification becomes the final VLAN classification (414). The final classification is used as the value of the VLAN classification parameter of any corresponding data request primitives (416). The frame is then decrypted, using the SA, and then submitted to the IEEE802.1Q Forwarding and Learning Processes (418). Otherwise, the frame is discarded.

Egress Filtering at Logical Ports

In the VLAN bridge model, if the transmission port for a frame that belongs to some VLAN is not in the member set of the VLAN, then the frame is discarded. The same rule applies to all logical transmission ports.

Although the invention is described herein with reference to the preferred embodiment, one skilled in the art will readily appreciate that other applications may be substituted for those set forth herein without departing from the spirit and scope of the present invention. Accordingly, the invention should only be limited by the Claims included below. 

1. An access point for segregating traffic among a plurality of end stations, comprising: a plurality of virtual Basic Service Sets (BSS) wherein each BSS has a unique security association with a set of end stations wherein each BSS sends frames between the set of end stations; a frame having a cryptographic authentication code; the frame having a source media access control (MAC) address to determine a preliminary VLAN classification when the frame carries a null virtual LAN ID; the frame having a virtual LAN ID (VID) as the preliminary VLAN classification when the frame carries the VID; a table of security associations providing a cryptographic authentication code key based on the preliminary VLAN classification wherein the cryptographic authentication code key is used to recomputed a new cryptographic authentication code over a payload of the frame; the new cryptographic authentication code compared with the cryptographic authentication code; the preliminary VLAN classification implemented as a final VLAN classification when the new cryptographic authentication code and the cryptographic authentication code match, wherein the frame is decrypted; and the preliminary VLAN classification not implemented as the final VLAN classification when the new cryptographic authentication code and the cryptographic authentication code do not match, wherein the frame is discarded.
 2. A method for extending VLAN bridging semantics, comprising the steps of: providing an untagged frame and a tagged frame in accordance with the IEEE
 802. 1Q VLAN bridge model; providing a cryptographically encapsulated frame, wherein every encapsulated frame has a VLAN tag that is different from a tag used within tagged frames belonging to said VLAN; providing a trunk port divided into inbound and outbound trunk ports; providing one of said ‘untagged, tagged, and encapsulated frame type for each segment representing a bridged, cryptographic VLAN; transferring traffic between an unencapsulated segment (tagged or untagged) and an encapsulated segment of a same VLAN; and associating with every VLAN two unique VLAN tags, said two unique VLAN tags comprising VID-T, which is used within tagged frames of said VLAN, and VID-E, which is used within encapsulated frames of said VLAN.
 3. The method of claim 2, wherein for each VLAN, there is a unique security association comprising a cryptographic authentication code key for checking integrity and authenticity of frames that are tagged as belonging to said VLAN, and a cryptographic key for ensuring privacy of all frames belonging to said VLAN.
 4. The method of claim 2, wherein said encapsulated frame is encapsulated in accordance with an encrypt-then-MAC method, which comprises the steps of: encrypting a data payload of a frame; and computing a message authentication code over a resulting ciphertext and said frame's sequence number.
 5. The method of claim 2, wherein a tagged set, an untagged set, and an encapsulated set of ports is associated with each VLAN.
 6. The method of claim 2, further comprising the step of: using a security association for a VLAN to verify authenticity and integrity of every frame tagged as belonging to said VLAN, and received at a port in said VLAN1s encapsulated set.
 7. The method of claim 6, further comprising the step of: providing an ingress-filtering rule for said port to determine whether verification occurs.
 8. The method of claim 6, further comprising the step of: using said association to encapsulate tagged and untagged frames belonging to said VLAN cryptographically before sending them from a port in said VLAN's encapsulated set.
 9. An apparatus for sending frames in bridged, cryptographic VMNs, comprising: at least two bridges; a plurality of trunk links wherein every trunk link of said trunk links is associated with the inbound trunk port of one bridge of said at least two bridges and the outbound trunk port of another bridge of said at least two bridges; a plurality of access ports; plurality of access links wherein every access link of said access links is associated with one access port of said access ports; means for representing said VLANs by different encapsulated segments even though they share a same medium, wherein physical separation of said VMNs is cryptographic; and an ingress-filtering rule associated with at least one of said access ports for specifying authenticity checking, wherein a frame received at said one of said access ports is authenticated using a security association for an associated VLAN; wherein, if authentication successful, then said frame is determined to be a member-of an encapsulated segment for said associated VMN.
 10. The apparatus of claim 9, wherein said ingress-filter rule associated with at least one of said access ports specifies authentication and integrity checking for certain of said VLANs.
 11. The apparatus of claim 10, further comprising: an authentication code that is computed over a received frame's ciphertext and sequence number using said security association; wherein, if said authentication code does not match a received authentication code in said frame, then said frame is discarded; and wherein said frame is otherwise determined to belong to an encapsulated segment for an associated VLAN.
 12. The apparatus of claim 9, further comprising: one or more rules for constructing a target port set for a frame received at an inbound port that belongs to the tagged and encapsulated sets of a VLAN; wherein, every port in the encapsulated set of said VLAN that is not a member of the tagged set of said VLAN is removed if said frame is tagged; and wherein, every port in either the tagged or untagged sets of said VLAN that is not a member of the encapsulated set of said VLAN is removed if said frame is encapsulated.
 13. The apparatus of claim 9, further comprising: one or more rules for constructing a forwarding set for a received frame, which rules may comprise any of the following: add a received frame to said forwarding set; add a VLAN tag to a received frame; add the result to said forwarding set; a received frame is cryptographically encapsulated using a security association; a resulting frame is VLAN tagged and added to said forwarding set; remove a VLAN tag from a received frame; add an untagged frame to said forwarding set; a received frame's ciphertext is decrypted using a security association; a resulting frame is untagged and added to said forwarding set; and a received frame's ciphertext is decrypted using a security association; a resulting frame is tagged and added to said forwarding set.
 14. A method for eliminating redundant transfers between LAN segments in a bridged, cryptographic VLAN, comprising the steps of: avoiding transfer of an unencapsulated frame to a VLAN's encapsulated segment more than once in a bridged VLAN where each transfer requires encryption; performing encapsulation once, said encapsulation being shared by all egress ports that belong to said VLAN's encapsulated set across all bridges; and avoiding repeated decapsulation across bridges in said bridged VLAN where each requires decryption.
 15. An apparatus for implementing a transfer point protocol (TPP) in a bridged, cryptographic VLAN, comprising: at least two bridges; a plurality of trunk links wherein every trunk link of said trunk links is associated with an inbound trunk port of one bridge of said at least two bridges and an outbound trunk port of another bridge of said at least two bridges; a plurality of access ports, wherein every access port is assigned to a tagged, untagged, or encapsulated set for a VLAN prior to execution; a plurality of access links wherein every access link of said access links is associated with one access port of said access ports; and means for representing said VLANs by different encapsulated segments even though they share a same medium, wherein physical separation of said VLANs is cryptographic; two link-layer protocols, a first link-layer protocol (TPP-T) for adding outbound ports to the tagged set of a VLAN, and a second link-layer protocol (TPP-E) for adding outbound ports to the encapsulated set of a VLAN; and two frames types, one of said frame types comprising an announce frame, and a second of said frame types comprising a reply frame; wherein each of said frames contains a VLAN ID and a source bridge routing path, where each entry in said path is a unique pair containing a bridge MAC address and three bits, one bit for each LAN segment type, wherein said tagged bit is high if and only if a bridge addressed in said pair has an access port in a tagged set of said VLAN named in said frame, and wherein said untagged and encapsulated bits are set likewise.
 16. A transfer point protocol (TPP) in a bridged, cryptographic VLAN, comprising the steps of: a bridge sending a TPP announce frame to a TPP group address through each of its trunk ports for every VLAN known to it; when a bridge receives an announce frame, said bridge appending to received routing path an entry for itself regarding the received VLAN ID, and forwarding said frame to each of its enabled, outbound trunk ports except the receiving trunk port, wherein if said bridge has no other such trunk ports, then said bridge sending a final routing path and said received VLAN ID in a TPP reply frame to the MAC address that precedes said bridge in said routing path, and wherein the outbound port of a trunk port is treated as: a set of virtual, tagged access ports with one said tagged access port for each VLAN supported by said trunk port; a set of virtual, encapsulated access ports with one said encapsulated access port for each VLAN supported by said trunk port; or a set of virtual, encapsulated or virtual, tagged access ports with one said tagged or encapsulated access port for each VLAN supported by said trunk port; an originating bridge of an announce frame creating a path consisting only of an entry for itself; when a bridge receives a TPP reply frame, said bridge forwarding said reply frame to the bridge MAC address that precedes said bridge in said routing path; and if there is none, discarding said frame.
 17. The protocol of claim 16, wherein when a bridge receives a TPP reply frame on an inbound trunk port, said bridge adds the outbound port corresponding to said inbound trunk port to the encapsulated set for the VLAN ID in said frame if, and only if, said bridge is followed by another bridge in said routing path with an encapsulated access port, and either: said bridge has a tagged or untagged access port for said VLAN ID and no bridge after it in said routing path, up to an including said other bridge, has a tagged or untagged access port; or said bridge has an encapsulated access port for said VLAN ID, or said bridge is preceded by another bridge in said routing path with an encapsulated access port.
 18. The protocol of claim 16, wherein when a bridge receives a TPP reply frame on an inbound trunk port, said bridge adds the outbound port corresponding to said inbound trunk port to the tagged set for the VLAN ID in said frame if, and only if, said bridge is followed by another bridge in said routing path with a tagged or untagged access port, and either: said bridge has an encapsulated access port for said VLAN ID and no bridge after it in said routing path, up to an including said other bridge, has an encapsulated access port; or said bridge has a tagged or untagged access port for said VLAN ID, or said bridge is preceded by another bridge in said routing path with a tagged or untagged access port. 